blue globe


Records and information management (RIM) programs come full circle

Records management risk assessments attract C-suite attention

Records and information management (RIM) became an imperative for businesses in the early 2000s in the wake of the Sarbanes-Oxley (SOX) Act. Heavy investments in RIM personnel, technology, processes, and governance were not uncommon to support compliance with SOX record-retention requirements. However, the investments were often proportionally applied to areas of perceived external risk and not necessarily to broad-based enterprise-wide programs.

What do you want your RIM program to be?

On this page, we discuss three opening issues:

  • Defining a RIM program
  • Determining a RIM operating model
  • Deciding where the RIM program should reside in the organization

Then we describe a hybrid, federated model to encourage RIM standardization across an enterprise, as well as optimization of processes to promote consistency and quality of RIM service delivery.

Defining a RIM program

Policies and procedures. The organization needs guidance to understand how to create, maintain, and dispose of records. The tools generally used to establish this guidance are policies, such as a RIM policy and retention schedules, which include defining record types and associated required maintenance periods (sometimes including how records should be maintained) and procedures—the specifics of what end users should do to comply.

Oversight and reporting. Generally, RIM is an enterprise function. For the RIM program to be able to gather information and report on how RIM is operating, the RIM program needs to partner with other parts of the organization, such as lines of business (LOBs) and other functions, depending on the organization’s structure.

Operations and delivery. Depending on the organization, the RIM program may be responsible for delivering technology capabilities, training, or advisory roles. From this perspective, LOBs and other functions are clients of the RIM program.

Stakeholder engagement. Stakeholders across the enterprise can be diverse. The RIM program needs to manage across the stakeholder set.

pink star gaze

With RIM demands growing, it’s time to act

Many multinational organizations have a global RIM program, even one as barebones as a policy, a retention schedule, limited in-house counsel time, and outside counsel responsible to update the policy at intervals. Often such programs focus on mission-critical records maintenance, especially in companies and industries subject to a direct reporting requirement to a government or other external agency. Records management activities not deemed mission-critical often receive less attention and support, and may not be performed on par with established the global RIM policy.

Companies with an inadequate RIM program may face several risks:
  • Too much data. Often, more data is retained than necessary because records managers may not be enforcing records maintenance principles with the business and stakeholders. Not only can this create unnecessary day-to-day storage costs, but in the case of litigation or regulatory investigation too much data can cause delays in responding to discovery requirements, create a nightmare scenario for legal personnel tasked with discovery, and result in significant costs.
  • Retrieval challenges. Without a consistently defined RIM process, standard retrieval tools may not be used, making it difficult to find and retrieve relevant records in a cost-effective manner.
  • Non-compliant data disposition. Often, data and other records are disposed of without consideration of potential consequences, sometimes as a way to avoid maintenance costs. This can present create legal or regulatory exposure and the potential for significant fines and other penalties.

In the absence of a broad-based RIM program, these risks can materialize very quickly today. An important question for senior executives of multinational businesses is what level of investment might produce an effective RIM program that aligns with corporate objectives and risk appetite? Whether a centralized, decentralized, or hybrid federated model, an effective RIM program can support transparency and visibility that vital in a world that increasingly values data protection, privacy, and security.

blue star gaze
Did you find this useful?